2018-07-21 17:17:59 |
Jakob Englisch |
bug |
|
|
added bug |
2018-07-21 17:36:13 |
Jakob Englisch |
description |
Env Details:
Openstack version: Queens (17.0.5)
OS: CentOS 7.5
LDAP: Active Directory, Windows Server 2012R2
We changed the user_id_attribute to sAMAccountName when configuring keystone. [ user_id_attribute = "sAMAccountName" ; group_members_are_ids = False ]. Unfortunately this bricks the group mapping logic in keystone.
The relevant code in keystone:
`list_users_in_group` [1] -> gets all groups from the LDAP server, and then calls `_transform_group_member_ids`. `_transform_group_member_ids` tries to match the user ids (e.g. for posixGroups) or the DN. However, DN matching does not match the full DN. It rather takes the first RDN of the DN and computes the keystone user id [2]. The first RDN in Active Directory is the "CN", while the user-create part honors the user_id_attribute and takes "sAMAccountName" in our configuration. The generated user ids in keystone now do not match anymore and hence group mapping is broken.
A fix could be looking up the user by the DN received from the 'member' attribute of a given group and comparing the configured 'user_id_attribute' of the received LDAP user with the user id stored in keystone. A quick fix could also be to mention that behavior in the documentation.
[1] https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/common.py#L1285
[2] https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/core.py#L126
[3] https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/common.py#L1296 |
Env Details:
Openstack version: Queens (17.0.5)
OS: CentOS 7.5
LDAP: Active Directory, Windows Server 2012R2
We changed the user_id_attribute to sAMAccountName when configuring keystone. [ user_id_attribute = "sAMAccountName" ; group_members_are_ids = False ]. Unfortunately this bricks the group mapping logic in keystone.
The relevant code in keystone:
`list_users_in_group` [1] -> gets all groups from the LDAP server, and then calls `_transform_group_member_ids`. `_transform_group_member_ids` tries to match the user ids (e.g. for posixGroups) or the DN. However, DN matching does not match the full DN. It rather takes the first RDN of the DN and computes the keystone user id [2]. The first RDN in Active Directory is the "CN", while the user-create part honors the user_id_attribute and takes "sAMAccountName" in our configuration. The generated user ids in keystone now do not match anymore and hence group mapping is broken.
A fix could be looking up the user by the DN received from the 'member' attribute of a given group and comparing the configured 'user_id_attribute' of the received LDAP user with the user id stored in keystone. A quick fix could also be to mention that behavior in the documentation.
/e: related https://bugs.launchpad.net/keystone/+bug/1231488/comments/19
[1] https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/common.py#L1285
[2] https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/core.py#L126
[3] https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/common.py#L1296 |
|
2018-08-01 21:46:51 |
Lance Bragstad |
keystone: status |
New |
Triaged |
|
2018-08-01 21:46:54 |
Lance Bragstad |
keystone: importance |
Undecided |
Medium |
|
2018-10-10 08:00:45 |
Colleen Murphy |
tags |
|
ldap |
|
2018-11-21 20:21:58 |
Kundai Andrew Midzi |
bug |
|
|
added subscriber Kundai Andrew Midzi |
2019-06-20 13:30:24 |
OpenStack Infra |
keystone: status |
Triaged |
In Progress |
|
2019-06-20 13:30:24 |
OpenStack Infra |
keystone: assignee |
|
Corey Bryant (corey.bryant) |
|
2019-06-20 13:32:18 |
Corey Bryant |
bug task added |
|
keystone (Ubuntu) |
|
2019-06-20 13:32:27 |
Corey Bryant |
keystone (Ubuntu): status |
New |
Triaged |
|
2019-06-20 13:32:37 |
Corey Bryant |
keystone (Ubuntu): importance |
Undecided |
Medium |
|
2019-06-20 13:33:02 |
Corey Bryant |
nominated for series |
|
Ubuntu Cosmic |
|
2019-06-20 13:33:02 |
Corey Bryant |
bug task added |
|
keystone (Ubuntu Cosmic) |
|
2019-06-20 13:33:02 |
Corey Bryant |
nominated for series |
|
Ubuntu Eoan |
|
2019-06-20 13:33:02 |
Corey Bryant |
bug task added |
|
keystone (Ubuntu Eoan) |
|
2019-06-20 13:33:02 |
Corey Bryant |
nominated for series |
|
Ubuntu Bionic |
|
2019-06-20 13:33:02 |
Corey Bryant |
bug task added |
|
keystone (Ubuntu Bionic) |
|
2019-06-20 13:33:02 |
Corey Bryant |
nominated for series |
|
Ubuntu Disco |
|
2019-06-20 13:33:02 |
Corey Bryant |
bug task added |
|
keystone (Ubuntu Disco) |
|
2019-06-20 13:33:11 |
Corey Bryant |
keystone (Ubuntu Bionic): status |
New |
Triaged |
|
2019-06-20 13:33:13 |
Corey Bryant |
keystone (Ubuntu Cosmic): status |
New |
Triaged |
|
2019-06-20 13:33:16 |
Corey Bryant |
keystone (Ubuntu Disco): status |
New |
Triaged |
|
2019-06-20 13:33:18 |
Corey Bryant |
keystone (Ubuntu Cosmic): importance |
Undecided |
Medium |
|
2019-06-20 13:33:21 |
Corey Bryant |
keystone (Ubuntu Bionic): importance |
Undecided |
Medium |
|
2019-06-20 13:33:25 |
Corey Bryant |
keystone (Ubuntu Disco): importance |
Undecided |
Medium |
|
2019-06-20 13:33:36 |
Corey Bryant |
bug task added |
|
cloud-archive |
|
2019-06-20 13:33:50 |
Corey Bryant |
nominated for series |
|
cloud-archive/stein |
|
2019-06-20 13:33:50 |
Corey Bryant |
bug task added |
|
cloud-archive/stein |
|
2019-06-20 13:33:50 |
Corey Bryant |
nominated for series |
|
cloud-archive/queens |
|
2019-06-20 13:33:50 |
Corey Bryant |
bug task added |
|
cloud-archive/queens |
|
2019-06-20 13:33:50 |
Corey Bryant |
nominated for series |
|
cloud-archive/train |
|
2019-06-20 13:33:50 |
Corey Bryant |
bug task added |
|
cloud-archive/train |
|
2019-06-20 13:33:50 |
Corey Bryant |
nominated for series |
|
cloud-archive/rocky |
|
2019-06-20 13:33:50 |
Corey Bryant |
bug task added |
|
cloud-archive/rocky |
|
2019-06-20 13:34:07 |
Corey Bryant |
cloud-archive/queens: importance |
Undecided |
Medium |
|
2019-06-20 13:34:07 |
Corey Bryant |
cloud-archive/queens: status |
New |
Triaged |
|
2019-06-20 13:34:21 |
Corey Bryant |
cloud-archive/rocky: importance |
Undecided |
Medium |
|
2019-06-20 13:34:21 |
Corey Bryant |
cloud-archive/rocky: status |
New |
Triaged |
|
2019-06-20 13:34:34 |
Corey Bryant |
cloud-archive/stein: importance |
Undecided |
Medium |
|
2019-06-20 13:34:34 |
Corey Bryant |
cloud-archive/stein: status |
New |
Triaged |
|
2019-06-20 13:34:47 |
Corey Bryant |
cloud-archive/train: importance |
Undecided |
Medium |
|
2019-06-20 13:34:47 |
Corey Bryant |
cloud-archive/train: status |
New |
Triaged |
|
2019-06-20 13:57:44 |
Corey Bryant |
attachment added |
|
bug-1782922-initial-testing-details.txt https://bugs.launchpad.net/keystone/+bug/1782922/+attachment/5271834/+files/bug-1782922-initial-testing-details.txt |
|
2019-07-20 00:48:48 |
OpenStack Infra |
keystone: assignee |
Corey Bryant (corey.bryant) |
Guang Yee (guang-yee) |
|
2019-07-23 18:52:21 |
OpenStack Infra |
keystone: status |
In Progress |
Fix Released |
|
2019-07-30 15:38:24 |
Chris Sanders |
bug |
|
|
added subscriber Canonical Field High |
2019-08-29 18:45:30 |
OpenStack Infra |
cloud-archive/stein: status |
Triaged |
Fix Committed |
|
2019-08-29 18:45:46 |
OpenStack Infra |
cloud-archive/rocky: status |
Triaged |
Fix Committed |
|
2019-09-03 18:39:21 |
OpenStack Infra |
cloud-archive/queens: status |
Triaged |
Fix Committed |
|
2019-09-18 06:12:25 |
Edward Hope-Morley |
tags |
ldap |
ldap sts-sru-needed |
|
2019-09-18 08:32:47 |
Corey Bryant |
cloud-archive/train: status |
Triaged |
Fix Released |
|
2019-09-18 09:09:51 |
Corey Bryant |
cloud-archive/stein: status |
Fix Committed |
New |
|
2019-09-18 09:10:03 |
Corey Bryant |
cloud-archive/stein: status |
New |
Triaged |
|
2019-09-18 09:10:14 |
Corey Bryant |
cloud-archive/rocky: status |
Fix Committed |
Triaged |
|
2019-09-18 09:10:24 |
Corey Bryant |
cloud-archive/queens: status |
Fix Committed |
Triaged |
|
2019-09-18 09:56:57 |
Corey Bryant |
keystone (Ubuntu Eoan): status |
Triaged |
Fix Released |
|
2019-09-18 10:02:47 |
Corey Bryant |
keystone (Ubuntu Cosmic): status |
Triaged |
Won't Fix |
|
2019-09-27 22:27:59 |
Steve Langasek |
keystone (Ubuntu Disco): status |
Triaged |
Incomplete |
|
2019-09-30 09:57:37 |
Łukasz Zemczak |
description |
Env Details:
Openstack version: Queens (17.0.5)
OS: CentOS 7.5
LDAP: Active Directory, Windows Server 2012R2
We changed the user_id_attribute to sAMAccountName when configuring keystone. [ user_id_attribute = "sAMAccountName" ; group_members_are_ids = False ]. Unfortunately this bricks the group mapping logic in keystone.
The relevant code in keystone:
`list_users_in_group` [1] -> gets all groups from the LDAP server, and then calls `_transform_group_member_ids`. `_transform_group_member_ids` tries to match the user ids (e.g. for posixGroups) or the DN. However, DN matching does not match the full DN. It rather takes the first RDN of the DN and computes the keystone user id [2]. The first RDN in Active Directory is the "CN", while the user-create part honors the user_id_attribute and takes "sAMAccountName" in our configuration. The generated user ids in keystone now do not match anymore and hence group mapping is broken.
A fix could be looking up the user by the DN received from the 'member' attribute of a given group and comparing the configured 'user_id_attribute' of the received LDAP user with the user id stored in keystone. A quick fix could also be to mention that behavior in the documentation.
/e: related https://bugs.launchpad.net/keystone/+bug/1231488/comments/19
[1] https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/common.py#L1285
[2] https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/core.py#L126
[3] https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/common.py#L1296 |
[Impact]
When using the keystone LDAP backend, changing user_id_attribute breaks group mapping. This is because the _dn_to_id() method only calculated the uid to be the first RDN of the DN. _dn_to_id() is updated in the fix to also deal with the case where the uid is set to a different attribute.
[Test Case]
See details in comment #5: https://bugs.launchpad.net/keystone/+bug/1782922/comments/5
[Regression Potential]
The patch takes a minimal approach to the fix and includes unit tests to help ensure the patched code doesn't regress. The patches have landed in all upstream releases back to stable/queens which helps get even more exposure with upstream reviews, gate testing and real deployments.
[Original Description]
Env Details:
Openstack version: Queens (17.0.5)
OS: CentOS 7.5
LDAP: Active Directory, Windows Server 2012R2
We changed the user_id_attribute to sAMAccountName when configuring keystone. [ user_id_attribute = "sAMAccountName" ; group_members_are_ids = False ]. Unfortunately this bricks the group mapping logic in keystone.
The relevant code in keystone:
`list_users_in_group` [1] -> gets all groups from the LDAP server, and then calls `_transform_group_member_ids`. `_transform_group_member_ids` tries to match the user ids (e.g. for posixGroups) or the DN. However, DN matching does not match the full DN. It rather takes the first RDN of the DN and computes the keystone user id [2]. The first RDN in Active Directory is the "CN", while the user-create part honors the user_id_attribute and takes "sAMAccountName" in our configuration. The generated user ids in keystone now do not match anymore and hence group mapping is broken.
A fix could be looking up the user by the DN received from the 'member' attribute of a given group and comparing the configured 'user_id_attribute' of the received LDAP user with the user id stored in keystone. A quick fix could also be to mention that behavior in the documentation.
/e: related https://bugs.launchpad.net/keystone/+bug/1231488/comments/19
[1] https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/common.py#L1285
[2] https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/core.py#L126
[3] https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/common.py#L1296 |
|
2019-09-30 09:57:50 |
Łukasz Zemczak |
keystone (Ubuntu Disco): status |
Incomplete |
Fix Committed |
|
2019-09-30 09:57:52 |
Łukasz Zemczak |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2019-09-30 09:57:55 |
Łukasz Zemczak |
bug |
|
|
added subscriber SRU Verification |
2019-09-30 09:57:58 |
Łukasz Zemczak |
tags |
ldap sts-sru-needed |
ldap sts-sru-needed verification-needed verification-needed-disco |
|
2019-10-22 12:29:48 |
Corey Bryant |
cloud-archive/rocky: status |
Triaged |
Fix Committed |
|
2019-10-22 12:29:50 |
Corey Bryant |
tags |
ldap sts-sru-needed verification-needed verification-needed-disco |
ldap sts-sru-needed verification-needed verification-needed-disco verification-rocky-needed |
|
2019-10-22 12:31:48 |
Corey Bryant |
cloud-archive/stein: status |
Triaged |
Fix Committed |
|
2019-10-22 12:31:50 |
Corey Bryant |
tags |
ldap sts-sru-needed verification-needed verification-needed-disco verification-rocky-needed |
ldap sts-sru-needed verification-needed verification-needed-disco verification-rocky-needed verification-stein-needed |
|
2019-10-25 08:44:28 |
Timo Aaltonen |
keystone (Ubuntu Bionic): status |
Triaged |
Fix Committed |
|
2019-10-25 08:44:37 |
Timo Aaltonen |
tags |
ldap sts-sru-needed verification-needed verification-needed-disco verification-rocky-needed verification-stein-needed |
ldap sts-sru-needed verification-needed verification-needed-bionic verification-needed-disco verification-rocky-needed verification-stein-needed |
|
2019-10-29 20:24:25 |
Corey Bryant |
attachment removed |
bug-1782922-initial-testing-details.txt https://bugs.launchpad.net/keystone/+bug/1782922/+attachment/5271834/+files/bug-1782922-initial-testing-details.txt |
|
|
2019-10-29 20:25:48 |
Corey Bryant |
attachment added |
|
bug-1782922-testing.txt https://bugs.launchpad.net/keystone/+bug/1782922/+attachment/5301241/+files/bug-1782922-testing.txt |
|
2019-10-29 20:26:28 |
Corey Bryant |
description |
[Impact]
When using the keystone LDAP backend, changing user_id_attribute breaks group mapping. This is because the _dn_to_id() method only calculated the uid to be the first RDN of the DN. _dn_to_id() is updated in the fix to also deal with the case where the uid is set to a different attribute.
[Test Case]
See details in comment #5: https://bugs.launchpad.net/keystone/+bug/1782922/comments/5
[Regression Potential]
The patch takes a minimal approach to the fix and includes unit tests to help ensure the patched code doesn't regress. The patches have landed in all upstream releases back to stable/queens which helps get even more exposure with upstream reviews, gate testing and real deployments.
[Original Description]
Env Details:
Openstack version: Queens (17.0.5)
OS: CentOS 7.5
LDAP: Active Directory, Windows Server 2012R2
We changed the user_id_attribute to sAMAccountName when configuring keystone. [ user_id_attribute = "sAMAccountName" ; group_members_are_ids = False ]. Unfortunately this bricks the group mapping logic in keystone.
The relevant code in keystone:
`list_users_in_group` [1] -> gets all groups from the LDAP server, and then calls `_transform_group_member_ids`. `_transform_group_member_ids` tries to match the user ids (e.g. for posixGroups) or the DN. However, DN matching does not match the full DN. It rather takes the first RDN of the DN and computes the keystone user id [2]. The first RDN in Active Directory is the "CN", while the user-create part honors the user_id_attribute and takes "sAMAccountName" in our configuration. The generated user ids in keystone now do not match anymore and hence group mapping is broken.
A fix could be looking up the user by the DN received from the 'member' attribute of a given group and comparing the configured 'user_id_attribute' of the received LDAP user with the user id stored in keystone. A quick fix could also be to mention that behavior in the documentation.
/e: related https://bugs.launchpad.net/keystone/+bug/1231488/comments/19
[1] https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/common.py#L1285
[2] https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/core.py#L126
[3] https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/common.py#L1296 |
[Impact]
When using the keystone LDAP backend, changing user_id_attribute breaks group mapping. This is because the _dn_to_id() method only calculated the uid to be the first RDN of the DN. _dn_to_id() is updated in the fix to also deal with the case where the uid is set to a different attribute.
[Test Case]
See details in comment #25: https://bugs.launchpad.net/keystone/+bug/1782922/comments/25
[Regression Potential]
The patch takes a minimal approach to the fix and includes unit tests to help ensure the patched code doesn't regress. The patches have landed in all upstream releases back to stable/queens which helps get even more exposure with upstream reviews, gate testing and real deployments.
[Original Description]
Env Details:
Openstack version: Queens (17.0.5)
OS: CentOS 7.5
LDAP: Active Directory, Windows Server 2012R2
We changed the user_id_attribute to sAMAccountName when configuring keystone. [ user_id_attribute = "sAMAccountName" ; group_members_are_ids = False ]. Unfortunately this bricks the group mapping logic in keystone.
The relevant code in keystone:
`list_users_in_group` [1] -> gets all groups from the LDAP server, and then calls `_transform_group_member_ids`. `_transform_group_member_ids` tries to match the user ids (e.g. for posixGroups) or the DN. However, DN matching does not match the full DN. It rather takes the first RDN of the DN and computes the keystone user id [2]. The first RDN in Active Directory is the "CN", while the user-create part honors the user_id_attribute and takes "sAMAccountName" in our configuration. The generated user ids in keystone now do not match anymore and hence group mapping is broken.
A fix could be looking up the user by the DN received from the 'member' attribute of a given group and comparing the configured 'user_id_attribute' of the received LDAP user with the user id stored in keystone. A quick fix could also be to mention that behavior in the documentation.
/e: related https://bugs.launchpad.net/keystone/+bug/1231488/comments/19
[1] https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/common.py#L1285
[2] https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/core.py#L126
[3] https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/common.py#L1296 |
|
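The id mismatch described in the original description and in the [Impact] note above, as an added illustration that is not keystone's own code: a constructed in-memory dictionary stands in for Active Directory, `dn_to_id_first_rdn` mimics the pre-fix "first RDN of the DN" behaviour, `dn_to_id_by_attribute` fetches the member entry by DN and reads the configured attribute (the approach the fix takes in spirit; all function names, the sample DNs and the `FAKE_LDAP` helper are assumptions), and `unmatched_members` lists the group members whose computed id matches no user keystone created.

```python
# Added illustration of the bug, not keystone's own code: the pre-fix
# "first RDN of the DN" id versus a lookup that honours user_id_attribute.
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for the AD directory: DN -> attributes (group entries carry 'member').
FAKE_LDAP: Dict[str, dict] = {
    "CN=Jane Doe,OU=Users,DC=example,DC=com": {"cn": "Jane Doe", "sAMAccountName": "jdoe"},
    "CN=Bob Builder,OU=Users,DC=example,DC=com": {"cn": "Bob Builder", "sAMAccountName": "bbuilder"},
    "CN=cloud-admins,OU=Groups,DC=example,DC=com": {
        "cn": "cloud-admins",
        "member": ["CN=Jane Doe,OU=Users,DC=example,DC=com",
                   "CN=Bob Builder,OU=Users,DC=example,DC=com"]},
}
GROUP_DN = "CN=cloud-admins,OU=Groups,DC=example,DC=com"
Mapper = Callable[[str, str, dict], str]


def split_rdns(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, honouring backslash-escaped commas."""
    parts, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf, escaped = buf + ch, False
        elif ch == "\\":
            buf, escaped = buf + ch, True
        elif ch == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    return [(a.strip(), v.strip()) for a, _, v in (p.partition("=") for p in parts)]


def dn_to_id_first_rdn(dn: str, user_id_attribute: str, directory: dict) -> str:
    """Pre-fix behaviour: the id is the first RDN's value (the CN in AD) regardless
    of user_id_attribute; the extra arguments only keep the signature uniform."""
    return split_rdns(dn)[0][1]


def dn_to_id_by_attribute(dn: str, user_id_attribute: str, directory: dict) -> str:
    """Fixed behaviour: use the first RDN only when it is the id attribute; otherwise
    fetch the entry by DN and take the configured attribute."""
    attr, value = split_rdns(dn)[0]
    if attr.lower() == user_id_attribute.lower():
        return value
    entry = directory.get(dn)
    if entry is None:
        raise LookupError("member DN not found in directory: %s" % dn)
    return entry[user_id_attribute]


def users_in_group(group_dn: str, user_id_attribute: str, mapper: Mapper,
                   directory: dict) -> List[str]:
    """Like list_users_in_group: map each 'member' DN to a keystone user id."""
    return sorted(mapper(m, user_id_attribute, directory)
                  for m in directory[group_dn]["member"])


def unmatched_members(group_dn: str, user_id_attribute: str, mapper: Mapper,
                      directory: dict) -> List[str]:
    """Member ids that match no user keystone created with user_id_attribute."""
    created = {e[user_id_attribute] for e in directory.values() if "member" not in e}
    return [u for u in users_in_group(group_dn, user_id_attribute, mapper, directory)
            if u not in created]


if __name__ == "__main__":
    for name, fn in (("pre-fix", dn_to_id_first_rdn), ("fixed", dn_to_id_by_attribute)):
        print(name, "unmatched:", unmatched_members(GROUP_DN, "sAMAccountName", fn, FAKE_LDAP))
```

With user_id_attribute set to "cn" both mappers agree, which is why the defect only surfaces once the attribute is changed, as the reporter observed with sAMAccountName.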
2019-10-29 20:28:49 |
Corey Bryant |
tags |
ldap sts-sru-needed verification-needed verification-needed-bionic verification-needed-disco verification-rocky-needed verification-stein-needed |
ldap sts-sru-needed verification-done-disco verification-needed verification-needed-bionic verification-rocky-needed verification-stein-needed |
|
2019-10-30 13:20:12 |
Corey Bryant |
attachment removed |
bug-1782922-testing.txt https://bugs.launchpad.net/keystone/+bug/1782922/+attachment/5301241/+files/bug-1782922-testing.txt |
|
|
2019-10-30 13:21:21 |
Corey Bryant |
attachment added |
|
bug-1782922-testing.txt https://bugs.launchpad.net/keystone/+bug/1782922/+attachment/5301394/+files/bug-1782922-testing.txt |
|
2019-10-30 13:21:23 |
Corey Bryant |
attachment added |
|
bug-1782922-testing.txt https://bugs.launchpad.net/keystone/+bug/1782922/+attachment/5301395/+files/bug-1782922-testing.txt |
|
2019-10-30 13:34:21 |
Corey Bryant |
tags |
ldap sts-sru-needed verification-done-disco verification-needed verification-needed-bionic verification-rocky-needed verification-stein-needed |
ldap sts-sru-needed verification-done-disco verification-failed-bionic verification-needed verification-rocky-done verification-stein-done |
|
2019-11-04 13:24:35 |
Łukasz Zemczak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2019-11-04 13:34:39 |
Launchpad Janitor |
keystone (Ubuntu Disco): status |
Fix Committed |
Fix Released |
|
2019-11-04 14:12:40 |
Corey Bryant |
cloud-archive/stein: status |
Fix Committed |
Fix Released |
|
2019-11-05 18:39:04 |
Corey Bryant |
cloud-archive/rocky: status |
Fix Committed |
Fix Released |
|
2019-11-21 19:07:36 |
Corey Bryant |
cloud-archive/queens: status |
Triaged |
Fix Committed |
|
2019-11-21 19:07:38 |
Corey Bryant |
tags |
ldap sts-sru-needed verification-done-disco verification-failed-bionic verification-needed verification-rocky-done verification-stein-done |
ldap sts-sru-needed verification-done-disco verification-failed-bionic verification-needed verification-queens-needed verification-rocky-done verification-stein-done |
|
2019-11-27 02:55:01 |
Felipe Reyes |
tags |
ldap sts-sru-needed verification-done-disco verification-failed-bionic verification-needed verification-queens-needed verification-rocky-done verification-stein-done |
ldap sts-sru-needed verification-done-bionic verification-done-disco verification-needed verification-queens-needed verification-rocky-done verification-stein-done |
|
2019-11-28 01:10:25 |
Felipe Reyes |
tags |
ldap sts-sru-needed verification-done-bionic verification-done-disco verification-needed verification-queens-needed verification-rocky-done verification-stein-done |
ldap sts-sru-needed verification-done-bionic verification-done-disco verification-needed verification-queens-done verification-rocky-done verification-stein-done |
|
2019-11-28 01:10:55 |
Felipe Reyes |
tags |
ldap sts-sru-needed verification-done-bionic verification-done-disco verification-needed verification-queens-done verification-rocky-done verification-stein-done |
ldap sts-sru-needed verification-done verification-done-bionic verification-done-disco verification-queens-done verification-rocky-done verification-stein-done |
|
2020-01-14 15:20:16 |
Corey Bryant |
cloud-archive: status |
Triaged |
Fix Released |
|
2020-01-15 00:31:14 |
Launchpad Janitor |
keystone (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|
2020-01-15 17:19:11 |
Dorina Timbur |
bug |
|
|
added subscriber Dorina Timbur |
2020-01-27 15:12:16 |
Corey Bryant |
cloud-archive/queens: status |
Fix Committed |
Fix Released |
|